1. Field of the Invention
The present invention relates to a setting method of single sign-on mapping which realizes single sign-on between services which support multiple tenants.
2. Description of the Related Art
Conventionally, a mechanism of single sign-on (referred to as “SSO” below) based on the Security Assertion Markup Language (referred to as “SAML” below) is known as a technique for cooperating user authentication between a plurality of servers under different domains. A system which realizes SAML includes a server group (Identity Provider, referred to as an “IdP” below) which provides an authenticating function. Further, the system which realizes SAML also includes a server group (Service Provider, referred to as an “SP” below) which is configured with one or more servers which provide a function by trusting an authentication result of the IdP. A user who utilizes SSO based on SAML registers authentication information, such as user IDs, in the respective domains of the above IdP and SP.
For example, the user is authenticated by the IdP based on user authentication information such as a user ID and a password managed by the IdP.
To be provided with a function of the SP, the user first needs to access the IdP and be authenticated. For example, the user is authenticated by the IdP using the user ID and the password managed by the IdP. Further, the IdP issues to the authenticated user a SAML assertion, which is a certificate of authentication for the SP. The SP authenticates the user by verifying that this SAML assertion was issued by the trusted IdP. In this case, the user can enjoy services provided by the server group which cooperates with the SP without inputting authentication information managed by the SP.
As described above, SSO based on SAML depends on a trust relationship between the IdP and the SP. Hence, before SSO is realized, the ID provider and the service provider need to have established a trust relationship in advance. This trust relationship is established by exchanging metadata, which describes which of the plurality of SAML functions performs SSO, and an electronic certificate, which certifies that an assertion was issued by the ID provider. The specific contents of the metadata and the technique for establishing this trust relationship are defined by SAML V2.0, which is a standard technology. Metadata and information such as the electronic certificate for verifying an assertion are referred to as “prior information”. The service provider uses the prior information when verifying whether an assertion satisfies the requirements. Further, the prior information is generally data issued by the ID provider.
In addition, when the user accesses the SP by way of SSO, the user ID for the SP is not passed to the SP, as described above. More specifically, when the user first accesses the SP, this access is redirected to the IdP. The user then accesses the SP by using the SAML assertion issued when logging in to the IdP. Meanwhile, the SP ID for accessing the SP is specified by using the IdP ID included in the SAML assertion, or information corresponding to the IdP ID. To specify the SP ID from the IdP ID included in this SAML assertion, or from information corresponding to the IdP ID, a mapping table which indicates the correspondence between the IdP ID (or information corresponding to the IdP ID) and the SP ID is required. Creating this mapping table is referred to as “single sign-on mapping” (referred to as “SSO mapping” below). To realize SSO, it is necessary to generate an adequate mapping table by SSO mapping.
Further, Japanese Patent Application Laid-Open No. 2004-234329 discloses an SSO technique of creating SP IDs in advance and keeping them without allocating them to users. Japanese Patent Application Laid-Open No. 2004-234329 also discloses an SSO mapping server which, when authentication succeeds after an ID and a password are passed to the IdP, allocates an account of the SP to the IdP ID. This system realizes SSO mapping if the validity of a user can be checked by the IdP.
However, the conventional method has the following problem. That is, conventionally, no account is taken of the case where a user ID is deleted after SSO mapping has been performed once, and the same user ID is then registered again.
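The following is an added example, not code from the patent or its prior art: a toy SP-side SSO mapping table of the kind described above, showing how a mapping row that survives deletion lets an old IdP ID resolve to a re-registered SP account, beside a variant that binds each row to the generation of the SP account it was created for. The generation check is the example's own illustration of a mitigation, not the patent's method, and all IDs are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SpAccount:
    sp_id: str
    generation: int  # incremented each time an account with this sp_id is (re)created


class SsoMapper:
    def __init__(self, check_generation: bool):
        self.check_generation = check_generation
        self.accounts: dict[str, SpAccount] = {}
        self.generations: dict[str, int] = {}
        self.mapping: dict[str, tuple[str, int]] = {}  # IdP ID -> (SP ID, generation)

    def create_account(self, sp_id: str) -> SpAccount:
        gen = self.generations.get(sp_id, 0) + 1
        self.generations[sp_id] = gen
        self.accounts[sp_id] = SpAccount(sp_id, gen)
        return self.accounts[sp_id]

    def delete_account(self, sp_id: str) -> None:
        # Leaves the mapping row behind, as the conventional method described above does.
        del self.accounts[sp_id]

    def sso_map(self, idp_id: str, sp_id: str) -> None:
        # Performed once, after the IdP has authenticated the user.
        self.mapping[idp_id] = (sp_id, self.accounts[sp_id].generation)

    def resolve(self, assertion: dict) -> Optional[str]:
        # Look up the SP ID for the IdP ID carried in an (already verified) assertion.
        row = self.mapping.get(assertion["NameID"])
        if row is None:
            return None
        sp_id, gen = row
        account = self.accounts.get(sp_id)
        if account is None:
            return None
        if self.check_generation and account.generation != gen:
            return None  # account was deleted and re-created: require fresh SSO mapping
        return sp_id


def stale_mapping_demo(check_generation: bool) -> Optional[str]:
    m = SsoMapper(check_generation)
    m.create_account("alice@sp.example")
    m.sso_map("alice@idp.example", "alice@sp.example")
    m.delete_account("alice@sp.example")
    m.create_account("alice@sp.example")  # same ID registered again, possibly for a different person
    return m.resolve({"NameID": "alice@idp.example"})
```

Without the generation check the old IdP ID still resolves to the re-created account; with it, resolution fails until SSO mapping is performed again.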